According to a recent report by Sophos, lapses in identity are responsible for 79% of ransomware attacks, highlighting a critical area of concern for cybersecurity decision-makers. The report emphasizes that many of these attacks focus on securing or exploiting credentials, underscoring the need for a robust identity management strategy. With 67% of ransomware victims indicating that their incident was also their most significant identity attack, the findings call for immediate attention to identity security as a fundamental aspect of an organization’s overall cybersecurity posture. The report is part of Sophos’s annual study, which provides valuable insights into the evolving threat landscape.
Key Findings on Ransomware Entry Points
The Sophos report reveals that alongside identity-related breaches, other significant access points for ransomware include malicious emails (26%) and phishing attacks (24%). Notably, the prevalence of exploited vulnerabilities, which had been the leading cause of ransomware incidents for the past three years, has decreased to 18%, a drop of 14 percentage points from the previous year. This shift indicates a changing strategy among attackers, who are increasingly leveraging stolen credentials rather than exploiting software vulnerabilities.
The Role of Stolen Credentials
Kevin Surace, CEO of TokenCore, noted that attackers have shifted their tactics, stating, “Attackers have realized they no longer need to hack through firewalls when they can simply log in with stolen credentials.” This change highlights the evolving nature of cybersecurity threats, where identity has become the new perimeter. The report also points out that advancements in AI have made phishing attempts nearly indistinguishable from legitimate communications, further complicating the landscape for organizations.
Challenges with Multi-Factor Authentication (MFA)
Despite the implementation of multi-factor authentication (MFA) in many organizations, the report indicates that 97% of those breached through compromised credentials had MFA enabled. Roman Sannikov, global research coordinator at iCounter, emphasized that not all MFA solutions are equally effective. Some organizations still rely on SMS or email for MFA codes, which can be compromised if an attacker has already gained access to a user’s credentials. This raises questions about the effectiveness of current MFA practices and the need for stronger identity verification methods.
Operational Implications for Security Leaders
Security experts agree that merely having MFA is not sufficient. Jacob Krell, senior director at Suzu Labs, pointed out that MFA does not protect against stolen session tokens or API keys, which can be exploited in the background. The focus should shift from merely catching ransomware payloads to preventing credential acquisition altogether. Shane Barney, CISO at Keeper Security, echoed this sentiment, stating that once attackers obtain a legitimate identity, they can navigate through an environment undetected, escalating privileges and deploying ransomware before detection.
Recommendations for Strengthening Identity Security
To mitigate the risks associated with credential theft, organizations must adopt a zero-trust approach and implement strong identity governance. This includes ensuring visibility into who has access to what resources and the ability to revoke access quickly when credentials are compromised. As the landscape of cyber threats continues to evolve, organizations that fail to adapt their identity management strategies will likely find themselves at greater risk.
For more detailed insights, refer to the full report by Sophos.


